1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * * Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * * Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in
12 * the documentation and/or other materials provided with the
13 * distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
16 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
17 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
18 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
19 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
21 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
22 * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
23 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
24 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
25 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <linux/auxvec.h>
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <unistd.h>
35 #include <fcntl.h>
36 #include <errno.h>
37 #include <dlfcn.h>
38 #include <sys/stat.h>
39
40 #include <pthread.h>
41
42 #include <sys/mman.h>
43
44 #include <sys/atomics.h>
45
46 /* special private C library header - see Android.mk */
47 #include <bionic_tls.h>
48
49 #include "linker.h"
50 #include "linker_debug.h"
51
52 #include "ba.h"
53
54 #define SO_MAX 96
55
56 /* Assume average path length of 64 and max 8 paths */
57 #define LDPATH_BUFSIZE 512
58 #define LDPATH_MAX 8
59
60 /* >>> IMPORTANT NOTE - READ ME BEFORE MODIFYING <<<
61 *
62 * Do NOT use malloc() and friends or pthread_*() code here.
63 * Don't use printf() either; it's caused mysterious memory
64 * corruption in the past.
65 * The linker runs before we bring up libc and it's easiest
66 * to make sure it does not depend on any complex libc features
67 *
68 * open issues / todo:
69 *
70 * - should we do anything special for STB_WEAK symbols?
71 * - are we doing everything we should for ARM_COPY relocations?
72 * - cleaner error reporting
73 * - after linking, set as much stuff as possible to READONLY
74 * and NOEXEC
75 * - linker hardcodes PAGE_SIZE and PAGE_MASK because the kernel
76 * headers provide versions that are negative...
77 * - allocate space for soinfo structs dynamically instead of
78 * having a hard limit (64)
79 */
80
81
82 static int link_image(soinfo *si, unsigned wr_offset);
83
84 static int socount = 0;
85 static soinfo sopool[SO_MAX];
86 static soinfo *freelist = NULL;
87 static soinfo *solist = &libdl_info;
88 static soinfo *sonext = &libdl_info;
89
90 static char ldpaths_buf[LDPATH_BUFSIZE];
91 static const char *ldpaths[LDPATH_MAX + 1];
92
93 int debug_verbosity;
94 static int pid;
95
96 #if STATS
97 struct _link_stats linker_stats;
98 #endif
99
100 #if COUNT_PAGES
101 unsigned bitmask[4096];
102 #endif
103
104 #ifndef PT_ARM_EXIDX
105 #define PT_ARM_EXIDX 0x70000001 /* .ARM.exidx segment */
106 #endif
107
108 #define HOODLUM(name, ret, ...) \
109 ret name __VA_ARGS__ \
110 { \
111 char errstr[] = "ERROR: " #name " called from the dynamic linker!\n"; \
112 write(2, errstr, sizeof(errstr)); \
113 abort(); \
114 }
115 HOODLUM(malloc, void *, (size_t size));
116 HOODLUM(free, void, (void *ptr));
117 HOODLUM(realloc, void *, (void *ptr, size_t size));
118 HOODLUM(calloc, void *, (size_t cnt, size_t size));
119
120 static char tmp_err_buf[768];
121 static char __linker_dl_err_buf[768];
122 #define DL_ERR(fmt, x...) \
123 do { \
124 snprintf(__linker_dl_err_buf, sizeof(__linker_dl_err_buf), \
125 "%s[%d]: " fmt, __func__, __LINE__, ##x); \
126 ERROR(fmt "\n", ##x); \
127 } while(0)
128
linker_get_error(void)129 const char *linker_get_error(void)
130 {
131 return (const char *)&__linker_dl_err_buf[0];
132 }
133
134 /*
135 * This function is an empty stub where GDB locates a breakpoint to get notified
136 * about linker activity.
137 */
138 extern void __attribute__((noinline)) rtld_db_dlactivity(void);
139
140 static struct r_debug _r_debug = {1, NULL, &rtld_db_dlactivity,
141 RT_CONSISTENT, 0};
142 static struct link_map *r_debug_tail = 0;
143
144 static pthread_mutex_t _r_debug_lock = PTHREAD_MUTEX_INITIALIZER;
145
insert_soinfo_into_debug_map(soinfo * info)146 static void insert_soinfo_into_debug_map(soinfo * info)
147 {
148 struct link_map * map;
149
150 /* Copy the necessary fields into the debug structure.
151 */
152 map = &(info->linkmap);
153 map->l_addr = info->base;
154 map->l_name = (char*) info->name;
155
156 /* Stick the new library at the end of the list.
157 * gdb tends to care more about libc than it does
158 * about leaf libraries, and ordering it this way
159 * reduces the back-and-forth over the wire.
160 */
161 if (r_debug_tail) {
162 r_debug_tail->l_next = map;
163 map->l_prev = r_debug_tail;
164 map->l_next = 0;
165 } else {
166 _r_debug.r_map = map;
167 map->l_prev = 0;
168 map->l_next = 0;
169 }
170 r_debug_tail = map;
171 }
172
remove_soinfo_from_debug_map(soinfo * info)173 static void remove_soinfo_from_debug_map(soinfo * info)
174 {
175 struct link_map * map = &(info->linkmap);
176
177 if (r_debug_tail == map)
178 r_debug_tail = map->l_prev;
179
180 if (map->l_prev) map->l_prev->l_next = map->l_next;
181 if (map->l_next) map->l_next->l_prev = map->l_prev;
182 }
183
notify_gdb_of_load(soinfo * info)184 void notify_gdb_of_load(soinfo * info)
185 {
186 if (info->flags & FLAG_EXE) {
187 // GDB already knows about the main executable
188 return;
189 }
190
191 pthread_mutex_lock(&_r_debug_lock);
192
193 _r_debug.r_state = RT_ADD;
194 rtld_db_dlactivity();
195
196 insert_soinfo_into_debug_map(info);
197
198 _r_debug.r_state = RT_CONSISTENT;
199 rtld_db_dlactivity();
200
201 pthread_mutex_unlock(&_r_debug_lock);
202 }
203
notify_gdb_of_unload(soinfo * info)204 void notify_gdb_of_unload(soinfo * info)
205 {
206 if (info->flags & FLAG_EXE) {
207 // GDB already knows about the main executable
208 return;
209 }
210
211 pthread_mutex_lock(&_r_debug_lock);
212
213 _r_debug.r_state = RT_DELETE;
214 rtld_db_dlactivity();
215
216 remove_soinfo_from_debug_map(info);
217
218 _r_debug.r_state = RT_CONSISTENT;
219 rtld_db_dlactivity();
220
221 pthread_mutex_unlock(&_r_debug_lock);
222 }
223
notify_gdb_of_libraries()224 void notify_gdb_of_libraries()
225 {
226 _r_debug.r_state = RT_ADD;
227 rtld_db_dlactivity();
228 _r_debug.r_state = RT_CONSISTENT;
229 rtld_db_dlactivity();
230 }
231
alloc_info(const char * name)232 static soinfo *alloc_info(const char *name)
233 {
234 soinfo *si;
235
236 if(strlen(name) >= SOINFO_NAME_LEN) {
237 DL_ERR("%5d library name %s too long", pid, name);
238 return 0;
239 }
240
241 /* The freelist is populated when we call free_info(), which in turn is
242 done only by dlclose(), which is not likely to be used.
243 */
244 if (!freelist) {
245 if(socount == SO_MAX) {
246 DL_ERR("%5d too many libraries when loading %s", pid, name);
247 return NULL;
248 }
249 freelist = sopool + socount++;
250 freelist->next = NULL;
251 }
252
253 si = freelist;
254 freelist = freelist->next;
255
256 /* Make sure we get a clean block of soinfo */
257 memset(si, 0, sizeof(soinfo));
258 strcpy((char*) si->name, name);
259 sonext->next = si;
260 si->ba_index = -1; /* by default, prelinked */
261 si->next = NULL;
262 si->refcount = 0;
263 sonext = si;
264
265 TRACE("%5d name %s: allocated soinfo @ %p\n", pid, name, si);
266 return si;
267 }
268
free_info(soinfo * si)269 static void free_info(soinfo *si)
270 {
271 soinfo *prev = NULL, *trav;
272
273 TRACE("%5d name %s: freeing soinfo @ %p\n", pid, si->name, si);
274
275 for(trav = solist; trav != NULL; trav = trav->next){
276 if (trav == si)
277 break;
278 prev = trav;
279 }
280 if (trav == NULL) {
281 /* si was not ni solist */
282 DL_ERR("%5d name %s is not in solist!", pid, si->name);
283 return;
284 }
285
286 /* prev will never be NULL, because the first entry in solist is
287 always the static libdl_info.
288 */
289 prev->next = si->next;
290 if (si == sonext) sonext = prev;
291 si->next = freelist;
292 freelist = si;
293 }
294
295 #ifndef LINKER_TEXT_BASE
296 #error "linker's makefile must define LINKER_TEXT_BASE"
297 #endif
298 #ifndef LINKER_AREA_SIZE
299 #error "linker's makefile must define LINKER_AREA_SIZE"
300 #endif
301 #define LINKER_BASE ((LINKER_TEXT_BASE) & 0xfff00000)
302 #define LINKER_TOP (LINKER_BASE + (LINKER_AREA_SIZE))
303
addr_to_name(unsigned addr)304 const char *addr_to_name(unsigned addr)
305 {
306 soinfo *si;
307
308 for(si = solist; si != 0; si = si->next){
309 if((addr >= si->base) && (addr < (si->base + si->size))) {
310 return si->name;
311 }
312 }
313
314 if((addr >= LINKER_BASE) && (addr < LINKER_TOP)){
315 return "linker";
316 }
317
318 return "";
319 }
320
321 /* For a given PC, find the .so that it belongs to.
322 * Returns the base address of the .ARM.exidx section
323 * for that .so, and the number of 8-byte entries
324 * in that section (via *pcount).
325 *
326 * Intended to be called by libc's __gnu_Unwind_Find_exidx().
327 *
328 * This function is exposed via dlfcn.c and libdl.so.
329 */
330 #ifdef ANDROID_ARM_LINKER
dl_unwind_find_exidx(_Unwind_Ptr pc,int * pcount)331 _Unwind_Ptr dl_unwind_find_exidx(_Unwind_Ptr pc, int *pcount)
332 {
333 soinfo *si;
334 unsigned addr = (unsigned)pc;
335
336 if ((addr < LINKER_BASE) || (addr >= LINKER_TOP)) {
337 for (si = solist; si != 0; si = si->next){
338 if ((addr >= si->base) && (addr < (si->base + si->size))) {
339 *pcount = si->ARM_exidx_count;
340 return (_Unwind_Ptr)(si->base + (unsigned long)si->ARM_exidx);
341 }
342 }
343 }
344 *pcount = 0;
345 return NULL;
346 }
347 #elif defined(ANDROID_X86_LINKER)
348 /* Here, we only have to provide a callback to iterate across all the
349 * loaded libraries. gcc_eh does the rest. */
350 int
dl_iterate_phdr(int (* cb)(struct dl_phdr_info * info,size_t size,void * data),void * data)351 dl_iterate_phdr(int (*cb)(struct dl_phdr_info *info, size_t size, void *data),
352 void *data)
353 {
354 soinfo *si;
355 struct dl_phdr_info dl_info;
356 int rv = 0;
357
358 for (si = solist; si != NULL; si = si->next) {
359 dl_info.dlpi_addr = si->linkmap.l_addr;
360 dl_info.dlpi_name = si->linkmap.l_name;
361 dl_info.dlpi_phdr = si->phdr;
362 dl_info.dlpi_phnum = si->phnum;
363 rv = cb(&dl_info, sizeof (struct dl_phdr_info), data);
364 if (rv != 0)
365 break;
366 }
367 return rv;
368 }
369 #endif
370
_elf_lookup(soinfo * si,unsigned hash,const char * name)371 static Elf32_Sym *_elf_lookup(soinfo *si, unsigned hash, const char *name)
372 {
373 Elf32_Sym *s;
374 Elf32_Sym *symtab = si->symtab;
375 const char *strtab = si->strtab;
376 unsigned n;
377
378 TRACE_TYPE(LOOKUP, "%5d SEARCH %s in %s@0x%08x %08x %d\n", pid,
379 name, si->name, si->base, hash, hash % si->nbucket);
380 n = hash % si->nbucket;
381
382 for(n = si->bucket[hash % si->nbucket]; n != 0; n = si->chain[n]){
383 s = symtab + n;
384 if(strcmp(strtab + s->st_name, name)) continue;
385
386 /* only concern ourselves with global symbols */
387 switch(ELF32_ST_BIND(s->st_info)){
388 case STB_GLOBAL:
389 /* no section == undefined */
390 if(s->st_shndx == 0) continue;
391
392 case STB_WEAK:
393 TRACE_TYPE(LOOKUP, "%5d FOUND %s in %s (%08x) %d\n", pid,
394 name, si->name, s->st_value, s->st_size);
395 return s;
396 }
397 }
398
399 return 0;
400 }
401
elfhash(const char * _name)402 static unsigned elfhash(const char *_name)
403 {
404 const unsigned char *name = (const unsigned char *) _name;
405 unsigned h = 0, g;
406
407 while(*name) {
408 h = (h << 4) + *name++;
409 g = h & 0xf0000000;
410 h ^= g;
411 h ^= g >> 24;
412 }
413 return h;
414 }
415
416 static Elf32_Sym *
_do_lookup_in_so(soinfo * si,const char * name,unsigned * elf_hash)417 _do_lookup_in_so(soinfo *si, const char *name, unsigned *elf_hash)
418 {
419 if (*elf_hash == 0)
420 *elf_hash = elfhash(name);
421 return _elf_lookup (si, *elf_hash, name);
422 }
423
424 /* This is used by dl_sym() */
lookup_in_library(soinfo * si,const char * name)425 Elf32_Sym *lookup_in_library(soinfo *si, const char *name)
426 {
427 unsigned unused = 0;
428 return _do_lookup_in_so(si, name, &unused);
429 }
430
431 static Elf32_Sym *
_do_lookup(soinfo * user_si,const char * name,unsigned * base)432 _do_lookup(soinfo *user_si, const char *name, unsigned *base)
433 {
434 unsigned elf_hash = 0;
435 Elf32_Sym *s = NULL;
436 soinfo *si;
437
438 /* Look for symbols in the local scope first (the object who is
439 * searching). This happens with C++ templates on i386 for some
440 * reason. */
441 if (user_si) {
442 s = _do_lookup_in_so(user_si, name, &elf_hash);
443 if (s != NULL)
444 *base = user_si->base;
445 }
446
447 for(si = solist; (s == NULL) && (si != NULL); si = si->next)
448 {
449 if((si->flags & FLAG_ERROR) || (si == user_si))
450 continue;
451 s = _do_lookup_in_so(si, name, &elf_hash);
452 if (s != NULL) {
453 *base = si->base;
454 break;
455 }
456 }
457
458 if (s != NULL) {
459 TRACE_TYPE(LOOKUP, "%5d %s s->st_value = 0x%08x, "
460 "si->base = 0x%08x\n", pid, name, s->st_value, si->base);
461 return s;
462 }
463
464 return 0;
465 }
466
467 /* This is used by dl_sym() */
lookup(const char * name,unsigned * base)468 Elf32_Sym *lookup(const char *name, unsigned *base)
469 {
470 return _do_lookup(NULL, name, base);
471 }
472
473 #if 0
474 static void dump(soinfo *si)
475 {
476 Elf32_Sym *s = si->symtab;
477 unsigned n;
478
479 for(n = 0; n < si->nchain; n++) {
480 TRACE("%5d %04d> %08x: %02x %04x %08x %08x %s\n", pid, n, s,
481 s->st_info, s->st_shndx, s->st_value, s->st_size,
482 si->strtab + s->st_name);
483 s++;
484 }
485 }
486 #endif
487
488 static const char *sopaths[] = {
489 "/system/lib",
490 "/lib",
491 0
492 };
493
_open_lib(const char * name)494 static int _open_lib(const char *name)
495 {
496 int fd;
497 struct stat filestat;
498
499 if ((stat(name, &filestat) >= 0) && S_ISREG(filestat.st_mode)) {
500 if ((fd = open(name, O_RDONLY)) >= 0)
501 return fd;
502 }
503
504 return -1;
505 }
506
open_library(const char * name)507 static int open_library(const char *name)
508 {
509 int fd;
510 char buf[512];
511 const char **path;
512 int n;
513
514 TRACE("[ %5d opening %s ]\n", pid, name);
515
516 if(name == 0) return -1;
517 if(strlen(name) > 256) return -1;
518
519 if ((name[0] == '/') && ((fd = _open_lib(name)) >= 0))
520 return fd;
521
522 for (path = ldpaths; *path; path++) {
523 n = snprintf(buf, sizeof(buf), "%s/%s", *path, name);
524 if (n < 0 || n >= (int)sizeof(buf)) {
525 WARN("Ignoring very long library path: %s/%s\n", *path, name);
526 continue;
527 }
528 if ((fd = _open_lib(buf)) >= 0)
529 return fd;
530 }
531 for (path = sopaths; *path; path++) {
532 n = snprintf(buf, sizeof(buf), "%s/%s", *path, name);
533 if (n < 0 || n >= (int)sizeof(buf)) {
534 WARN("Ignoring very long library path: %s/%s\n", *path, name);
535 continue;
536 }
537 if ((fd = _open_lib(buf)) >= 0)
538 return fd;
539 }
540
541 return -1;
542 }
543
544 /* temporary space for holding the first page of the shared lib
545 * which contains the elf header (with the pht). */
546 static unsigned char __header[PAGE_SIZE];
547
548 typedef struct {
549 long mmap_addr;
550 char tag[4]; /* 'P', 'R', 'E', ' ' */
551 } prelink_info_t;
552
553 /* Returns the requested base address if the library is prelinked,
554 * and 0 otherwise. */
555 static unsigned long
is_prelinked(int fd,const char * name)556 is_prelinked(int fd, const char *name)
557 {
558 off_t sz;
559 prelink_info_t info;
560
561 sz = lseek(fd, -sizeof(prelink_info_t), SEEK_END);
562 if (sz < 0) {
563 DL_ERR("lseek() failed!");
564 return 0;
565 }
566
567 if (read(fd, &info, sizeof(info)) != sizeof(info)) {
568 WARN("Could not read prelink_info_t structure for `%s`\n", name);
569 return 0;
570 }
571
572 if (strncmp(info.tag, "PRE ", 4)) {
573 WARN("`%s` is not a prelinked library\n", name);
574 return 0;
575 }
576
577 return (unsigned long)info.mmap_addr;
578 }
579
580 /* verify_elf_object
581 * Verifies if the object @ base is a valid ELF object
582 *
583 * Args:
584 *
585 * Returns:
586 * 0 on success
587 * -1 if no valid ELF object is found @ base.
588 */
589 static int
verify_elf_object(void * base,const char * name)590 verify_elf_object(void *base, const char *name)
591 {
592 Elf32_Ehdr *hdr = (Elf32_Ehdr *) base;
593
594 if (hdr->e_ident[EI_MAG0] != ELFMAG0) return -1;
595 if (hdr->e_ident[EI_MAG1] != ELFMAG1) return -1;
596 if (hdr->e_ident[EI_MAG2] != ELFMAG2) return -1;
597 if (hdr->e_ident[EI_MAG3] != ELFMAG3) return -1;
598
599 /* TODO: Should we verify anything else in the header? */
600
601 return 0;
602 }
603
604
605 /* get_lib_extents
606 * Retrieves the base (*base) address where the ELF object should be
607 * mapped and its overall memory size (*total_sz).
608 *
609 * Args:
610 * fd: Opened file descriptor for the library
611 * name: The name of the library
612 * _hdr: Pointer to the header page of the library
613 * total_sz: Total size of the memory that should be allocated for
614 * this library
615 *
616 * Returns:
617 * -1 if there was an error while trying to get the lib extents.
618 * The possible reasons are:
619 * - Could not determine if the library was prelinked.
620 * - The library provided is not a valid ELF object
621 * 0 if the library did not request a specific base offset (normal
622 * for non-prelinked libs)
623 * > 0 if the library requests a specific address to be mapped to.
624 * This indicates a pre-linked library.
625 */
626 static unsigned
get_lib_extents(int fd,const char * name,void * __hdr,unsigned * total_sz)627 get_lib_extents(int fd, const char *name, void *__hdr, unsigned *total_sz)
628 {
629 unsigned req_base;
630 unsigned min_vaddr = 0xffffffff;
631 unsigned max_vaddr = 0;
632 unsigned char *_hdr = (unsigned char *)__hdr;
633 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)_hdr;
634 Elf32_Phdr *phdr;
635 int cnt;
636
637 TRACE("[ %5d Computing extents for '%s'. ]\n", pid, name);
638 if (verify_elf_object(_hdr, name) < 0) {
639 DL_ERR("%5d - %s is not a valid ELF object", pid, name);
640 return (unsigned)-1;
641 }
642
643 req_base = (unsigned) is_prelinked(fd, name);
644 if (req_base == (unsigned)-1)
645 return -1;
646 else if (req_base != 0) {
647 TRACE("[ %5d - Prelinked library '%s' requesting base @ 0x%08x ]\n",
648 pid, name, req_base);
649 } else {
650 TRACE("[ %5d - Non-prelinked library '%s' found. ]\n", pid, name);
651 }
652
653 phdr = (Elf32_Phdr *)(_hdr + ehdr->e_phoff);
654
655 /* find the min/max p_vaddrs from all the PT_LOAD segments so we can
656 * get the range. */
657 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) {
658 if (phdr->p_type == PT_LOAD) {
659 if ((phdr->p_vaddr + phdr->p_memsz) > max_vaddr)
660 max_vaddr = phdr->p_vaddr + phdr->p_memsz;
661 if (phdr->p_vaddr < min_vaddr)
662 min_vaddr = phdr->p_vaddr;
663 }
664 }
665
666 if ((min_vaddr == 0xffffffff) && (max_vaddr == 0)) {
667 DL_ERR("%5d - No loadable segments found in %s.", pid, name);
668 return (unsigned)-1;
669 }
670
671 /* truncate min_vaddr down to page boundary */
672 min_vaddr &= ~PAGE_MASK;
673
674 /* round max_vaddr up to the next page */
675 max_vaddr = (max_vaddr + PAGE_SIZE - 1) & ~PAGE_MASK;
676
677 *total_sz = (max_vaddr - min_vaddr);
678 return (unsigned)req_base;
679 }
680
681 /* alloc_mem_region
682 *
683 * This function reserves a chunk of memory to be used for mapping in
684 * the shared library. We reserve the entire memory region here, and
685 * then the rest of the linker will relocate the individual loadable
686 * segments into the correct locations within this memory range.
687 *
688 * Args:
689 * si->base: The requested base of the allocation. If 0, a sane one will be
690 * chosen in the range LIBBASE <= base < LIBLAST.
691 * si->size: The size of the allocation.
692 *
693 * Returns:
694 * -1 on failure, and 0 on success. On success, si->base will contain
695 * the virtual address at which the library will be mapped.
696 */
697
reserve_mem_region(soinfo * si)698 static int reserve_mem_region(soinfo *si)
699 {
700 void *base = mmap((void *)si->base, si->size, PROT_READ | PROT_EXEC,
701 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
702 if (base == MAP_FAILED) {
703 DL_ERR("%5d can NOT map (%sprelinked) library '%s' at 0x%08x "
704 "as requested, will try general pool: %d (%s)",
705 pid, (si->base ? "" : "non-"), si->name, si->base,
706 errno, strerror(errno));
707 return -1;
708 } else if (base != (void *)si->base) {
709 DL_ERR("OOPS: %5d %sprelinked library '%s' mapped at 0x%08x, "
710 "not at 0x%08x", pid, (si->base ? "" : "non-"),
711 si->name, (unsigned)base, si->base);
712 munmap(base, si->size);
713 return -1;
714 }
715 return 0;
716 }
717
718 static int
alloc_mem_region(soinfo * si)719 alloc_mem_region(soinfo *si)
720 {
721 if (si->base) {
722 /* Attempt to mmap a prelinked library. */
723 si->ba_index = -1;
724 return reserve_mem_region(si);
725 }
726
727 /* This is not a prelinked library, so we attempt to allocate space
728 for it from the buddy allocator, which manages the area between
729 LIBBASE and LIBLAST.
730 */
731 si->ba_index = ba_allocate(si->size);
732 if(si->ba_index >= 0) {
733 si->base = ba_start_addr(si->ba_index);
734 PRINT("%5d mapping library '%s' at %08x (index %d) " \
735 "through buddy allocator.\n",
736 pid, si->name, si->base, si->ba_index);
737 if (reserve_mem_region(si) < 0) {
738 ba_free(si->ba_index);
739 si->ba_index = -1;
740 si->base = 0;
741 goto err;
742 }
743 return 0;
744 }
745
746 err:
747 DL_ERR("OOPS: %5d cannot map library '%s'. no vspace available.",
748 pid, si->name);
749 return -1;
750 }
751
752 #define MAYBE_MAP_FLAG(x,from,to) (((x) & (from)) ? (to) : 0)
753 #define PFLAGS_TO_PROT(x) (MAYBE_MAP_FLAG((x), PF_X, PROT_EXEC) | \
754 MAYBE_MAP_FLAG((x), PF_R, PROT_READ) | \
755 MAYBE_MAP_FLAG((x), PF_W, PROT_WRITE))
756 /* load_segments
757 *
758 * This function loads all the loadable (PT_LOAD) segments into memory
759 * at their appropriate memory offsets off the base address.
760 *
761 * Args:
762 * fd: Open file descriptor to the library to load.
763 * header: Pointer to a header page that contains the ELF header.
764 * This is needed since we haven't mapped in the real file yet.
765 * si: ptr to soinfo struct describing the shared object.
766 *
767 * Returns:
768 * 0 on success, -1 on failure.
769 */
770 static int
load_segments(int fd,void * header,soinfo * si)771 load_segments(int fd, void *header, soinfo *si)
772 {
773 Elf32_Ehdr *ehdr = (Elf32_Ehdr *)header;
774 Elf32_Phdr *phdr = (Elf32_Phdr *)((unsigned char *)header + ehdr->e_phoff);
775 unsigned char *base = (unsigned char *)si->base;
776 int cnt;
777 unsigned len;
778 unsigned char *tmp;
779 unsigned char *pbase;
780 unsigned char *extra_base;
781 unsigned extra_len;
782 unsigned total_sz = 0;
783
784 si->wrprotect_start = 0xffffffff;
785 si->wrprotect_end = 0;
786
787 TRACE("[ %5d - Begin loading segments for '%s' @ 0x%08x ]\n",
788 pid, si->name, (unsigned)si->base);
789 /* Now go through all the PT_LOAD segments and map them into memory
790 * at the appropriate locations. */
791 for (cnt = 0; cnt < ehdr->e_phnum; ++cnt, ++phdr) {
792 if (phdr->p_type == PT_LOAD) {
793 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid);
794 /* we want to map in the segment on a page boundary */
795 tmp = base + (phdr->p_vaddr & (~PAGE_MASK));
796 /* add the # of bytes we masked off above to the total length. */
797 len = phdr->p_filesz + (phdr->p_vaddr & PAGE_MASK);
798
799 TRACE("[ %d - Trying to load segment from '%s' @ 0x%08x "
800 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x ]\n", pid, si->name,
801 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset);
802 pbase = mmap(tmp, len, PFLAGS_TO_PROT(phdr->p_flags),
803 MAP_PRIVATE | MAP_FIXED, fd,
804 phdr->p_offset & (~PAGE_MASK));
805 if (pbase == MAP_FAILED) {
806 DL_ERR("%d failed to map segment from '%s' @ 0x%08x (0x%08x). "
807 "p_vaddr=0x%08x p_offset=0x%08x", pid, si->name,
808 (unsigned)tmp, len, phdr->p_vaddr, phdr->p_offset);
809 goto fail;
810 }
811
812 /* If 'len' didn't end on page boundary, and it's a writable
813 * segment, zero-fill the rest. */
814 if ((len & PAGE_MASK) && (phdr->p_flags & PF_W))
815 memset((void *)(pbase + len), 0, PAGE_SIZE - (len & PAGE_MASK));
816
817 /* Check to see if we need to extend the map for this segment to
818 * cover the diff between filesz and memsz (i.e. for bss).
819 *
820 * base _+---------------------+ page boundary
821 * . .
822 * | |
823 * . .
824 * pbase _+---------------------+ page boundary
825 * | |
826 * . .
827 * base + p_vaddr _| |
828 * . \ \ .
829 * . | filesz | .
830 * pbase + len _| / | |
831 * <0 pad> . . .
832 * extra_base _+------------|--------+ page boundary
833 * / . . .
834 * | . . .
835 * | +------------|--------+ page boundary
836 * extra_len-> | | | |
837 * | . | memsz .
838 * | . | .
839 * \ _| / |
840 * . .
841 * | |
842 * _+---------------------+ page boundary
843 */
844 tmp = (unsigned char *)(((unsigned)pbase + len + PAGE_SIZE - 1) &
845 (~PAGE_MASK));
846 if (tmp < (base + phdr->p_vaddr + phdr->p_memsz)) {
847 extra_len = base + phdr->p_vaddr + phdr->p_memsz - tmp;
848 TRACE("[ %5d - Need to extend segment from '%s' @ 0x%08x "
849 "(0x%08x) ]\n", pid, si->name, (unsigned)tmp, extra_len);
850 /* map in the extra page(s) as anonymous into the range.
851 * This is probably not necessary as we already mapped in
852 * the entire region previously, but we just want to be
853 * sure. This will also set the right flags on the region
854 * (though we can probably accomplish the same thing with
855 * mprotect).
856 */
857 extra_base = mmap((void *)tmp, extra_len,
858 PFLAGS_TO_PROT(phdr->p_flags),
859 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,
860 -1, 0);
861 if (extra_base == MAP_FAILED) {
862 DL_ERR("[ %5d - failed to extend segment from '%s' @ 0x%08x"
863 " (0x%08x) ]", pid, si->name, (unsigned)tmp,
864 extra_len);
865 goto fail;
866 }
867 /* TODO: Check if we need to memset-0 this region.
868 * Anonymous mappings are zero-filled copy-on-writes, so we
869 * shouldn't need to. */
870 TRACE("[ %5d - Segment from '%s' extended @ 0x%08x "
871 "(0x%08x)\n", pid, si->name, (unsigned)extra_base,
872 extra_len);
873 }
874 /* set the len here to show the full extent of the segment we
875 * just loaded, mostly for debugging */
876 len = (((unsigned)base + phdr->p_vaddr + phdr->p_memsz +
877 PAGE_SIZE - 1) & (~PAGE_MASK)) - (unsigned)pbase;
878 TRACE("[ %5d - Successfully loaded segment from '%s' @ 0x%08x "
879 "(0x%08x). p_vaddr=0x%08x p_offset=0x%08x\n", pid, si->name,
880 (unsigned)pbase, len, phdr->p_vaddr, phdr->p_offset);
881 total_sz += len;
882 /* Make the section writable just in case we'll have to write to
883 * it during relocation (i.e. text segment). However, we will
884 * remember what range of addresses should be write protected.
885 *
886 */
887 if (!(phdr->p_flags & PF_W)) {
888 if ((unsigned)pbase < si->wrprotect_start)
889 si->wrprotect_start = (unsigned)pbase;
890 if (((unsigned)pbase + len) > si->wrprotect_end)
891 si->wrprotect_end = (unsigned)pbase + len;
892 mprotect(pbase, len,
893 PFLAGS_TO_PROT(phdr->p_flags) | PROT_WRITE);
894 }
895 } else if (phdr->p_type == PT_DYNAMIC) {
896 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid);
897 /* this segment contains the dynamic linking information */
898 si->dynamic = (unsigned *)(base + phdr->p_vaddr);
899 } else {
900 #ifdef ANDROID_ARM_LINKER
901 if (phdr->p_type == PT_ARM_EXIDX) {
902 DEBUG_DUMP_PHDR(phdr, "PT_ARM_EXIDX", pid);
903 /* exidx entries (used for stack unwinding) are 8 bytes each.
904 */
905 si->ARM_exidx = (unsigned *)phdr->p_vaddr;
906 si->ARM_exidx_count = phdr->p_memsz / 8;
907 }
908 #endif
909 }
910
911 }
912
913 /* Sanity check */
914 if (total_sz > si->size) {
915 DL_ERR("%5d - Total length (0x%08x) of mapped segments from '%s' is "
916 "greater than what was allocated (0x%08x). THIS IS BAD!",
917 pid, total_sz, si->name, si->size);
918 goto fail;
919 }
920
921 TRACE("[ %5d - Finish loading segments for '%s' @ 0x%08x. "
922 "Total memory footprint: 0x%08x bytes ]\n", pid, si->name,
923 (unsigned)si->base, si->size);
924 return 0;
925
926 fail:
927 /* We can just blindly unmap the entire region even though some things
928 * were mapped in originally with anonymous and others could have been
929 * been mapped in from the file before we failed. The kernel will unmap
930 * all the pages in the range, irrespective of how they got there.
931 */
932 munmap((void *)si->base, si->size);
933 si->flags |= FLAG_ERROR;
934 return -1;
935 }
936
937 /* TODO: Implement this to take care of the fact that Android ARM
938 * ELF objects shove everything into a single loadable segment that has the
939 * write bit set. wr_offset is then used to set non-(data|bss) pages to be
940 * non-writable.
941 */
942 #if 0
943 static unsigned
944 get_wr_offset(int fd, const char *name, Elf32_Ehdr *ehdr)
945 {
946 Elf32_Shdr *shdr_start;
947 Elf32_Shdr *shdr;
948 int shdr_sz = ehdr->e_shnum * sizeof(Elf32_Shdr);
949 int cnt;
950 unsigned wr_offset = 0xffffffff;
951
952 shdr_start = mmap(0, shdr_sz, PROT_READ, MAP_PRIVATE, fd,
953 ehdr->e_shoff & (~PAGE_MASK));
954 if (shdr_start == MAP_FAILED) {
955 WARN("%5d - Could not read section header info from '%s'. Will not "
956 "not be able to determine write-protect offset.\n", pid, name);
957 return (unsigned)-1;
958 }
959
960 for(cnt = 0, shdr = shdr_start; cnt < ehdr->e_shnum; ++cnt, ++shdr) {
961 if ((shdr->sh_type != SHT_NULL) && (shdr->sh_flags & SHF_WRITE) &&
962 (shdr->sh_addr < wr_offset)) {
963 wr_offset = shdr->sh_addr;
964 }
965 }
966
967 munmap(shdr_start, shdr_sz);
968 return wr_offset;
969 }
970 #endif
971
972 static soinfo *
load_library(const char * name)973 load_library(const char *name)
974 {
975 int fd = open_library(name);
976 int cnt;
977 unsigned ext_sz;
978 unsigned req_base;
979 const char *bname;
980 soinfo *si = NULL;
981 Elf32_Ehdr *hdr;
982
983 if(fd == -1) {
984 DL_ERR("Library '%s' not found", name);
985 return NULL;
986 }
987
988 /* We have to read the ELF header to figure out what to do with this image
989 */
990 if (lseek(fd, 0, SEEK_SET) < 0) {
991 DL_ERR("lseek() failed!");
992 goto fail;
993 }
994
995 if ((cnt = read(fd, &__header[0], PAGE_SIZE)) < 0) {
996 DL_ERR("read() failed!");
997 goto fail;
998 }
999
1000 /* Parse the ELF header and get the size of the memory footprint for
1001 * the library */
1002 req_base = get_lib_extents(fd, name, &__header[0], &ext_sz);
1003 if (req_base == (unsigned)-1)
1004 goto fail;
1005 TRACE("[ %5d - '%s' (%s) wants base=0x%08x sz=0x%08x ]\n", pid, name,
1006 (req_base ? "prelinked" : "not pre-linked"), req_base, ext_sz);
1007
1008 /* Now configure the soinfo struct where we'll store all of our data
1009 * for the ELF object. If the loading fails, we waste the entry, but
1010 * same thing would happen if we failed during linking. Configuring the
1011 * soinfo struct here is a lot more convenient.
1012 */
1013 bname = strrchr(name, '/');
1014 si = alloc_info(bname ? bname + 1 : name);
1015 if (si == NULL)
1016 goto fail;
1017
1018 /* Carve out a chunk of memory where we will map in the individual
1019 * segments */
1020 si->base = req_base;
1021 si->size = ext_sz;
1022 si->flags = 0;
1023 si->entry = 0;
1024 si->dynamic = (unsigned *)-1;
1025 if (alloc_mem_region(si) < 0)
1026 goto fail;
1027
1028 TRACE("[ %5d allocated memory for %s @ %p (0x%08x) ]\n",
1029 pid, name, (void *)si->base, (unsigned) ext_sz);
1030
1031 /* Now actually load the library's segments into right places in memory */
1032 if (load_segments(fd, &__header[0], si) < 0) {
1033 if (si->ba_index >= 0) {
1034 ba_free(si->ba_index);
1035 si->ba_index = -1;
1036 }
1037 goto fail;
1038 }
1039
1040 /* this might not be right. Technically, we don't even need this info
1041 * once we go through 'load_segments'. */
1042 hdr = (Elf32_Ehdr *)si->base;
1043 si->phdr = (Elf32_Phdr *)((unsigned char *)si->base + hdr->e_phoff);
1044 si->phnum = hdr->e_phnum;
1045 /**/
1046
1047 close(fd);
1048 return si;
1049
1050 fail:
1051 if (si) free_info(si);
1052 close(fd);
1053 return NULL;
1054 }
1055
1056 static soinfo *
init_library(soinfo * si)1057 init_library(soinfo *si)
1058 {
1059 unsigned wr_offset = 0xffffffff;
1060
1061 /* At this point we know that whatever is loaded @ base is a valid ELF
1062 * shared library whose segments are properly mapped in. */
1063 TRACE("[ %5d init_library base=0x%08x sz=0x%08x name='%s') ]\n",
1064 pid, si->base, si->size, si->name);
1065
1066 if (si->base < LIBBASE || si->base >= LIBLAST)
1067 si->flags |= FLAG_PRELINKED;
1068
1069 if(link_image(si, wr_offset)) {
1070 /* We failed to link. However, we can only restore libbase
1071 ** if no additional libraries have moved it since we updated it.
1072 */
1073 munmap((void *)si->base, si->size);
1074 return NULL;
1075 }
1076
1077 return si;
1078 }
1079
find_library(const char * name)1080 soinfo *find_library(const char *name)
1081 {
1082 soinfo *si;
1083 const char *bname = strrchr(name, '/');
1084 bname = bname ? bname + 1 : name;
1085
1086 for(si = solist; si != 0; si = si->next){
1087 if(!strcmp(bname, si->name)) {
1088 if(si->flags & FLAG_ERROR) return 0;
1089 if(si->flags & FLAG_LINKED) return si;
1090 DL_ERR("OOPS: %5d recursive link to '%s'", pid, si->name);
1091 return NULL;
1092 }
1093 }
1094
1095 TRACE("[ %5d '%s' has not been loaded yet. Locating...]\n", pid, name);
1096 si = load_library(name);
1097 if(si == NULL)
1098 return NULL;
1099 return init_library(si);
1100 }
1101
1102 /* TODO:
1103 * notify gdb of unload
1104 * for non-prelinked libraries, find a way to decrement libbase
1105 */
1106 static void call_destructors(soinfo *si);
unload_library(soinfo * si)1107 unsigned unload_library(soinfo *si)
1108 {
1109 unsigned *d;
1110 if (si->refcount == 1) {
1111 TRACE("%5d unloading '%s'\n", pid, si->name);
1112 call_destructors(si);
1113
1114 for(d = si->dynamic; *d; d += 2) {
1115 if(d[0] == DT_NEEDED){
1116 TRACE("%5d %s needs to unload %s\n", pid,
1117 si->name, si->strtab + d[1]);
1118 soinfo *lsi = find_library(si->strtab + d[1]);
1119 if(lsi)
1120 unload_library(lsi);
1121 else
1122 DL_ERR("%5d could not unload '%s'",
1123 pid, si->strtab + d[1]);
1124 }
1125 }
1126
1127 munmap((char *)si->base, si->size);
1128 if (si->ba_index >= 0) {
1129 PRINT("%5d releasing library '%s' address space at %08x "\
1130 "through buddy allocator.\n",
1131 pid, si->name, si->base);
1132 ba_free(si->ba_index);
1133 }
1134 notify_gdb_of_unload(si);
1135 free_info(si);
1136 si->refcount = 0;
1137 }
1138 else {
1139 si->refcount--;
1140 PRINT("%5d not unloading '%s', decrementing refcount to %d\n",
1141 pid, si->name, si->refcount);
1142 }
1143 return si->refcount;
1144 }
1145
1146 /* TODO: don't use unsigned for addrs below. It works, but is not
1147 * ideal. They should probably be either uint32_t, Elf32_Addr, or unsigned
1148 * long.
1149 */
reloc_library(soinfo * si,Elf32_Rel * rel,unsigned count)1150 static int reloc_library(soinfo *si, Elf32_Rel *rel, unsigned count)
1151 {
1152 Elf32_Sym *symtab = si->symtab;
1153 const char *strtab = si->strtab;
1154 Elf32_Sym *s;
1155 unsigned base;
1156 Elf32_Rel *start = rel;
1157 unsigned idx;
1158
1159 for (idx = 0; idx < count; ++idx) {
1160 unsigned type = ELF32_R_TYPE(rel->r_info);
1161 unsigned sym = ELF32_R_SYM(rel->r_info);
1162 unsigned reloc = (unsigned)(rel->r_offset + si->base);
1163 unsigned sym_addr = 0;
1164 char *sym_name = NULL;
1165
1166 DEBUG("%5d Processing '%s' relocation at index %d\n", pid,
1167 si->name, idx);
1168 if(sym != 0) {
1169 sym_name = (char *)(strtab + symtab[sym].st_name);
1170 s = _do_lookup(si, sym_name, &base);
1171 if(s == 0) {
1172 DL_ERR("%5d cannot locate '%s'...", pid, sym_name);
1173 return -1;
1174 }
1175 #if 0
1176 if((base == 0) && (si->base != 0)){
1177 /* linking from libraries to main image is bad */
1178 DL_ERR("%5d cannot locate '%s'...",
1179 pid, strtab + symtab[sym].st_name);
1180 return -1;
1181 }
1182 #endif
1183 if ((s->st_shndx == SHN_UNDEF) && (s->st_value != 0)) {
1184 DL_ERR("%5d In '%s', shndx=%d && value=0x%08x. We do not "
1185 "handle this yet", pid, si->name, s->st_shndx,
1186 s->st_value);
1187 return -1;
1188 }
1189 sym_addr = (unsigned)(s->st_value + base);
1190 COUNT_RELOC(RELOC_SYMBOL);
1191 } else {
1192 s = 0;
1193 }
1194
1195 /* TODO: This is ugly. Split up the relocations by arch into
1196 * different files.
1197 */
1198 switch(type){
1199 #if defined(ANDROID_ARM_LINKER)
1200 case R_ARM_JUMP_SLOT:
1201 COUNT_RELOC(RELOC_ABSOLUTE);
1202 MARK(rel->r_offset);
1203 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid,
1204 reloc, sym_addr, sym_name);
1205 *((unsigned*)reloc) = sym_addr;
1206 break;
1207 case R_ARM_GLOB_DAT:
1208 COUNT_RELOC(RELOC_ABSOLUTE);
1209 MARK(rel->r_offset);
1210 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid,
1211 reloc, sym_addr, sym_name);
1212 *((unsigned*)reloc) = sym_addr;
1213 break;
1214 case R_ARM_ABS32:
1215 COUNT_RELOC(RELOC_ABSOLUTE);
1216 MARK(rel->r_offset);
1217 TRACE_TYPE(RELO, "%5d RELO ABS %08x <- %08x %s\n", pid,
1218 reloc, sym_addr, sym_name);
1219 *((unsigned*)reloc) += sym_addr;
1220 break;
1221 #elif defined(ANDROID_X86_LINKER)
1222 case R_386_JUMP_SLOT:
1223 COUNT_RELOC(RELOC_ABSOLUTE);
1224 MARK(rel->r_offset);
1225 TRACE_TYPE(RELO, "%5d RELO JMP_SLOT %08x <- %08x %s\n", pid,
1226 reloc, sym_addr, sym_name);
1227 *((unsigned*)reloc) = sym_addr;
1228 break;
1229 case R_386_GLOB_DAT:
1230 COUNT_RELOC(RELOC_ABSOLUTE);
1231 MARK(rel->r_offset);
1232 TRACE_TYPE(RELO, "%5d RELO GLOB_DAT %08x <- %08x %s\n", pid,
1233 reloc, sym_addr, sym_name);
1234 *((unsigned*)reloc) = sym_addr;
1235 break;
1236 #endif /* ANDROID_*_LINKER */
1237
1238 #if defined(ANDROID_ARM_LINKER)
1239 case R_ARM_RELATIVE:
1240 #elif defined(ANDROID_X86_LINKER)
1241 case R_386_RELATIVE:
1242 #endif /* ANDROID_*_LINKER */
1243 COUNT_RELOC(RELOC_RELATIVE);
1244 MARK(rel->r_offset);
1245 if(sym){
1246 DL_ERR("%5d odd RELATIVE form...", pid);
1247 return -1;
1248 }
1249 TRACE_TYPE(RELO, "%5d RELO RELATIVE %08x <- +%08x\n", pid,
1250 reloc, si->base);
1251 *((unsigned*)reloc) += si->base;
1252 break;
1253
1254 #if defined(ANDROID_X86_LINKER)
1255 case R_386_32:
1256 COUNT_RELOC(RELOC_RELATIVE);
1257 MARK(rel->r_offset);
1258
1259 TRACE_TYPE(RELO, "%5d RELO R_386_32 %08x <- +%08x %s\n", pid,
1260 reloc, sym_addr, sym_name);
1261 *((unsigned *)reloc) += (unsigned)sym_addr;
1262 break;
1263
1264 case R_386_PC32:
1265 COUNT_RELOC(RELOC_RELATIVE);
1266 MARK(rel->r_offset);
1267 TRACE_TYPE(RELO, "%5d RELO R_386_PC32 %08x <- "
1268 "+%08x (%08x - %08x) %s\n", pid, reloc,
1269 (sym_addr - reloc), sym_addr, reloc, sym_name);
1270 *((unsigned *)reloc) += (unsigned)(sym_addr - reloc);
1271 break;
1272 #endif /* ANDROID_X86_LINKER */
1273
1274 #ifdef ANDROID_ARM_LINKER
1275 case R_ARM_COPY:
1276 COUNT_RELOC(RELOC_COPY);
1277 MARK(rel->r_offset);
1278 TRACE_TYPE(RELO, "%5d RELO %08x <- %d @ %08x %s\n", pid,
1279 reloc, s->st_size, sym_addr, sym_name);
1280 memcpy((void*)reloc, (void*)sym_addr, s->st_size);
1281 break;
1282 case R_ARM_NONE:
1283 break;
1284 #endif /* ANDROID_ARM_LINKER */
1285
1286 default:
1287 DL_ERR("%5d unknown reloc type %d @ %p (%d)",
1288 pid, type, rel, (int) (rel - start));
1289 return -1;
1290 }
1291 rel++;
1292 }
1293 return 0;
1294 }
1295
1296
1297 /* Please read the "Initialization and Termination functions" functions.
1298 * of the linker design note in bionic/linker/README.TXT to understand
1299 * what the following code is doing.
1300 *
1301 * The important things to remember are:
1302 *
1303 * DT_PREINIT_ARRAY must be called first for executables, and should
1304 * not appear in shared libraries.
1305 *
1306 * DT_INIT should be called before DT_INIT_ARRAY if both are present
1307 *
1308 * DT_FINI should be called after DT_FINI_ARRAY if both are present
1309 *
1310 * DT_FINI_ARRAY must be parsed in reverse order.
1311 */
1312
call_array(unsigned * ctor,int count,int reverse)1313 static void call_array(unsigned *ctor, int count, int reverse)
1314 {
1315 int n, inc = 1;
1316
1317 if (reverse) {
1318 ctor += (count-1);
1319 inc = -1;
1320 }
1321
1322 for(n = count; n > 0; n--) {
1323 TRACE("[ %5d Looking at %s *0x%08x == 0x%08x ]\n", pid,
1324 reverse ? "dtor" : "ctor",
1325 (unsigned)ctor, (unsigned)*ctor);
1326 void (*func)() = (void (*)()) *ctor;
1327 ctor += inc;
1328 if(((int) func == 0) || ((int) func == -1)) continue;
1329 TRACE("[ %5d Calling func @ 0x%08x ]\n", pid, (unsigned)func);
1330 func();
1331 }
1332 }
1333
call_constructors(soinfo * si)1334 static void call_constructors(soinfo *si)
1335 {
1336 if (si->flags & FLAG_EXE) {
1337 TRACE("[ %5d Calling preinit_array @ 0x%08x [%d] for '%s' ]\n",
1338 pid, (unsigned)si->preinit_array, si->preinit_array_count,
1339 si->name);
1340 call_array(si->preinit_array, si->preinit_array_count, 0);
1341 TRACE("[ %5d Done calling preinit_array for '%s' ]\n", pid, si->name);
1342 } else {
1343 if (si->preinit_array) {
1344 DL_ERR("%5d Shared library '%s' has a preinit_array table @ 0x%08x."
1345 " This is INVALID.", pid, si->name,
1346 (unsigned)si->preinit_array);
1347 }
1348 }
1349
1350 if (si->init_func) {
1351 TRACE("[ %5d Calling init_func @ 0x%08x for '%s' ]\n", pid,
1352 (unsigned)si->init_func, si->name);
1353 si->init_func();
1354 TRACE("[ %5d Done calling init_func for '%s' ]\n", pid, si->name);
1355 }
1356
1357 if (si->init_array) {
1358 TRACE("[ %5d Calling init_array @ 0x%08x [%d] for '%s' ]\n", pid,
1359 (unsigned)si->init_array, si->init_array_count, si->name);
1360 call_array(si->init_array, si->init_array_count, 0);
1361 TRACE("[ %5d Done calling init_array for '%s' ]\n", pid, si->name);
1362 }
1363 }
1364
1365
call_destructors(soinfo * si)1366 static void call_destructors(soinfo *si)
1367 {
1368 if (si->fini_array) {
1369 TRACE("[ %5d Calling fini_array @ 0x%08x [%d] for '%s' ]\n", pid,
1370 (unsigned)si->fini_array, si->fini_array_count, si->name);
1371 call_array(si->fini_array, si->fini_array_count, 1);
1372 TRACE("[ %5d Done calling fini_array for '%s' ]\n", pid, si->name);
1373 }
1374
1375 if (si->fini_func) {
1376 TRACE("[ %5d Calling fini_func @ 0x%08x for '%s' ]\n", pid,
1377 (unsigned)si->fini_func, si->name);
1378 si->fini_func();
1379 TRACE("[ %5d Done calling fini_func for '%s' ]\n", pid, si->name);
1380 }
1381 }
1382
1383 /* Force any of the closed stdin, stdout and stderr to be associated with
1384 /dev/null. */
nullify_closed_stdio(void)1385 static int nullify_closed_stdio (void)
1386 {
1387 int dev_null, i, status;
1388 int return_value = 0;
1389
1390 dev_null = open("/dev/null", O_RDWR);
1391 if (dev_null < 0) {
1392 DL_ERR("Cannot open /dev/null.");
1393 return -1;
1394 }
1395 TRACE("[ %5d Opened /dev/null file-descriptor=%d]\n", pid, dev_null);
1396
1397 /* If any of the stdio file descriptors is valid and not associated
1398 with /dev/null, dup /dev/null to it. */
1399 for (i = 0; i < 3; i++) {
1400 /* If it is /dev/null already, we are done. */
1401 if (i == dev_null)
1402 continue;
1403
1404 TRACE("[ %5d Nullifying stdio file descriptor %d]\n", pid, i);
1405 /* The man page of fcntl does not say that fcntl(..,F_GETFL)
1406 can be interrupted but we do this just to be safe. */
1407 do {
1408 status = fcntl(i, F_GETFL);
1409 } while (status < 0 && errno == EINTR);
1410
1411 /* If file is openned, we are good. */
1412 if (status >= 0)
1413 continue;
1414
1415 /* The only error we allow is that the file descriptor does not
1416 exist, in which case we dup /dev/null to it. */
1417 if (errno != EBADF) {
1418 DL_ERR("nullify_stdio: unhandled error %s", strerror(errno));
1419 return_value = -1;
1420 continue;
1421 }
1422
1423 /* Try dupping /dev/null to this stdio file descriptor and
1424 repeat if there is a signal. Note that any errors in closing
1425 the stdio descriptor are lost. */
1426 do {
1427 status = dup2(dev_null, i);
1428 } while (status < 0 && errno == EINTR);
1429
1430 if (status < 0) {
1431 DL_ERR("nullify_stdio: dup2 error %s", strerror(errno));
1432 return_value = -1;
1433 continue;
1434 }
1435 }
1436
1437 /* If /dev/null is not one of the stdio file descriptors, close it. */
1438 if (dev_null > 2) {
1439 TRACE("[ %5d Closing /dev/null file-descriptor=%d]\n", pid, dev_null);
1440 do {
1441 status = close(dev_null);
1442 } while (status < 0 && errno == EINTR);
1443
1444 if (status < 0) {
1445 DL_ERR("nullify_stdio: close error %s", strerror(errno));
1446 return_value = -1;
1447 }
1448 }
1449
1450 return return_value;
1451 }
1452
link_image(soinfo * si,unsigned wr_offset)1453 static int link_image(soinfo *si, unsigned wr_offset)
1454 {
1455 unsigned *d;
1456 Elf32_Phdr *phdr = si->phdr;
1457 int phnum = si->phnum;
1458
1459 INFO("[ %5d linking %s ]\n", pid, si->name);
1460 DEBUG("%5d si->base = 0x%08x si->flags = 0x%08x\n", pid,
1461 si->base, si->flags);
1462
1463 if (si->flags & FLAG_EXE) {
1464 /* Locate the needed program segments (DYNAMIC/ARM_EXIDX) for
1465 * linkage info if this is the executable. If this was a
1466 * dynamic lib, that would have been done at load time.
1467 *
1468 * TODO: It's unfortunate that small pieces of this are
1469 * repeated from the load_library routine. Refactor this just
1470 * slightly to reuse these bits.
1471 */
1472 si->size = 0;
1473 for(; phnum > 0; --phnum, ++phdr) {
1474 #ifdef ANDROID_ARM_LINKER
1475 if(phdr->p_type == PT_ARM_EXIDX) {
1476 /* exidx entries (used for stack unwinding) are 8 bytes each.
1477 */
1478 si->ARM_exidx = (unsigned *)phdr->p_vaddr;
1479 si->ARM_exidx_count = phdr->p_memsz / 8;
1480 }
1481 #endif
1482 if (phdr->p_type == PT_LOAD) {
1483 /* For the executable, we use the si->size field only in
1484 dl_unwind_find_exidx(), so the meaning of si->size
1485 is not the size of the executable; it is the last
1486 virtual address of the loadable part of the executable;
1487 since si->base == 0 for an executable, we use the
1488 range [0, si->size) to determine whether a PC value
1489 falls within the executable section. Of course, if
1490 a value is below phdr->p_vaddr, it's not in the
1491 executable section, but a) we shouldn't be asking for
1492 such a value anyway, and b) if we have to provide
1493 an EXIDX for such a value, then the executable's
1494 EXIDX is probably the better choice.
1495 */
1496 DEBUG_DUMP_PHDR(phdr, "PT_LOAD", pid);
1497 if (phdr->p_vaddr + phdr->p_memsz > si->size)
1498 si->size = phdr->p_vaddr + phdr->p_memsz;
1499 /* try to remember what range of addresses should be write
1500 * protected */
1501 if (!(phdr->p_flags & PF_W)) {
1502 unsigned _end;
1503
1504 if (phdr->p_vaddr < si->wrprotect_start)
1505 si->wrprotect_start = phdr->p_vaddr;
1506 _end = (((phdr->p_vaddr + phdr->p_memsz + PAGE_SIZE - 1) &
1507 (~PAGE_MASK)));
1508 if (_end > si->wrprotect_end)
1509 si->wrprotect_end = _end;
1510 }
1511 } else if (phdr->p_type == PT_DYNAMIC) {
1512 if (si->dynamic != (unsigned *)-1) {
1513 DL_ERR("%5d multiple PT_DYNAMIC segments found in '%s'. "
1514 "Segment at 0x%08x, previously one found at 0x%08x",
1515 pid, si->name, si->base + phdr->p_vaddr,
1516 (unsigned)si->dynamic);
1517 goto fail;
1518 }
1519 DEBUG_DUMP_PHDR(phdr, "PT_DYNAMIC", pid);
1520 si->dynamic = (unsigned *) (si->base + phdr->p_vaddr);
1521 }
1522 }
1523 }
1524
1525 if (si->dynamic == (unsigned *)-1) {
1526 DL_ERR("%5d missing PT_DYNAMIC?!", pid);
1527 goto fail;
1528 }
1529
1530 DEBUG("%5d dynamic = %p\n", pid, si->dynamic);
1531
1532 /* extract useful information from dynamic section */
1533 for(d = si->dynamic; *d; d++){
1534 DEBUG("%5d d = %p, d[0] = 0x%08x d[1] = 0x%08x\n", pid, d, d[0], d[1]);
1535 switch(*d++){
1536 case DT_HASH:
1537 si->nbucket = ((unsigned *) (si->base + *d))[0];
1538 si->nchain = ((unsigned *) (si->base + *d))[1];
1539 si->bucket = (unsigned *) (si->base + *d + 8);
1540 si->chain = (unsigned *) (si->base + *d + 8 + si->nbucket * 4);
1541 break;
1542 case DT_STRTAB:
1543 si->strtab = (const char *) (si->base + *d);
1544 break;
1545 case DT_SYMTAB:
1546 si->symtab = (Elf32_Sym *) (si->base + *d);
1547 break;
1548 case DT_PLTREL:
1549 if(*d != DT_REL) {
1550 DL_ERR("DT_RELA not supported");
1551 goto fail;
1552 }
1553 break;
1554 case DT_JMPREL:
1555 si->plt_rel = (Elf32_Rel*) (si->base + *d);
1556 break;
1557 case DT_PLTRELSZ:
1558 si->plt_rel_count = *d / 8;
1559 break;
1560 case DT_REL:
1561 si->rel = (Elf32_Rel*) (si->base + *d);
1562 break;
1563 case DT_RELSZ:
1564 si->rel_count = *d / 8;
1565 break;
1566 case DT_PLTGOT:
1567 /* Save this in case we decide to do lazy binding. We don't yet. */
1568 si->plt_got = (unsigned *)(si->base + *d);
1569 break;
1570 case DT_DEBUG:
1571 // Set the DT_DEBUG entry to the addres of _r_debug for GDB
1572 *d = (int) &_r_debug;
1573 break;
1574 case DT_RELA:
1575 DL_ERR("%5d DT_RELA not supported", pid);
1576 goto fail;
1577 case DT_INIT:
1578 si->init_func = (void (*)(void))(si->base + *d);
1579 DEBUG("%5d %s constructors (init func) found at %p\n",
1580 pid, si->name, si->init_func);
1581 break;
1582 case DT_FINI:
1583 si->fini_func = (void (*)(void))(si->base + *d);
1584 DEBUG("%5d %s destructors (fini func) found at %p\n",
1585 pid, si->name, si->fini_func);
1586 break;
1587 case DT_INIT_ARRAY:
1588 si->init_array = (unsigned *)(si->base + *d);
1589 DEBUG("%5d %s constructors (init_array) found at %p\n",
1590 pid, si->name, si->init_array);
1591 break;
1592 case DT_INIT_ARRAYSZ:
1593 si->init_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
1594 break;
1595 case DT_FINI_ARRAY:
1596 si->fini_array = (unsigned *)(si->base + *d);
1597 DEBUG("%5d %s destructors (fini_array) found at %p\n",
1598 pid, si->name, si->fini_array);
1599 break;
1600 case DT_FINI_ARRAYSZ:
1601 si->fini_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
1602 break;
1603 case DT_PREINIT_ARRAY:
1604 si->preinit_array = (unsigned *)(si->base + *d);
1605 DEBUG("%5d %s constructors (preinit_array) found at %p\n",
1606 pid, si->name, si->preinit_array);
1607 break;
1608 case DT_PREINIT_ARRAYSZ:
1609 si->preinit_array_count = ((unsigned)*d) / sizeof(Elf32_Addr);
1610 break;
1611 case DT_TEXTREL:
1612 /* TODO: make use of this. */
1613 /* this means that we might have to write into where the text
1614 * segment was loaded during relocation... Do something with
1615 * it.
1616 */
1617 DEBUG("%5d Text segment should be writable during relocation.\n",
1618 pid);
1619 break;
1620 }
1621 }
1622
1623 DEBUG("%5d si->base = 0x%08x, si->strtab = %p, si->symtab = %p\n",
1624 pid, si->base, si->strtab, si->symtab);
1625
1626 if((si->strtab == 0) || (si->symtab == 0)) {
1627 DL_ERR("%5d missing essential tables", pid);
1628 goto fail;
1629 }
1630
1631 for(d = si->dynamic; *d; d += 2) {
1632 if(d[0] == DT_NEEDED){
1633 DEBUG("%5d %s needs %s\n", pid, si->name, si->strtab + d[1]);
1634 soinfo *lsi = find_library(si->strtab + d[1]);
1635 if(lsi == 0) {
1636 strlcpy(tmp_err_buf, linker_get_error(), sizeof(tmp_err_buf));
1637 DL_ERR("%5d could not load needed library '%s' for '%s' (%s)",
1638 pid, si->strtab + d[1], si->name, tmp_err_buf);
1639 goto fail;
1640 }
1641 lsi->refcount++;
1642 }
1643 }
1644
1645 if(si->plt_rel) {
1646 DEBUG("[ %5d relocating %s plt ]\n", pid, si->name );
1647 if(reloc_library(si, si->plt_rel, si->plt_rel_count))
1648 goto fail;
1649 }
1650 if(si->rel) {
1651 DEBUG("[ %5d relocating %s ]\n", pid, si->name );
1652 if(reloc_library(si, si->rel, si->rel_count))
1653 goto fail;
1654 }
1655
1656 si->flags |= FLAG_LINKED;
1657 DEBUG("[ %5d finished linking %s ]\n", pid, si->name);
1658
1659 #if 0
1660 /* This is the way that the old dynamic linker did protection of
1661 * non-writable areas. It would scan section headers and find where
1662 * .text ended (rather where .data/.bss began) and assume that this is
1663 * the upper range of the non-writable area. This is too coarse,
1664 * and is kept here for reference until we fully move away from single
1665 * segment elf objects. See the code in get_wr_offset (also #if'd 0)
1666 * that made this possible.
1667 */
1668 if(wr_offset < 0xffffffff){
1669 mprotect((void*) si->base, wr_offset, PROT_READ | PROT_EXEC);
1670 }
1671 #else
1672 /* TODO: Verify that this does the right thing in all cases, as it
1673 * presently probably does not. It is possible that an ELF image will
1674 * come with multiple read-only segments. What we ought to do is scan
1675 * the program headers again and mprotect all the read-only segments.
1676 * To prevent re-scanning the program header, we would have to build a
1677 * list of loadable segments in si, and then scan that instead. */
1678 if (si->wrprotect_start != 0xffffffff && si->wrprotect_end != 0) {
1679 mprotect((void *)si->wrprotect_start,
1680 si->wrprotect_end - si->wrprotect_start,
1681 PROT_READ | PROT_EXEC);
1682 }
1683 #endif
1684
1685 /* If this is a SET?ID program, dup /dev/null to opened stdin,
1686 stdout and stderr to close a security hole described in:
1687
1688 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc
1689
1690 */
1691 if (getuid() != geteuid() || getgid() != getegid())
1692 nullify_closed_stdio ();
1693 call_constructors(si);
1694 notify_gdb_of_load(si);
1695 return 0;
1696
1697 fail:
1698 ERROR("failed to link %s\n", si->name);
1699 si->flags |= FLAG_ERROR;
1700 return -1;
1701 }
1702
parse_library_path(char * path,char * delim)1703 static void parse_library_path(char *path, char *delim)
1704 {
1705 size_t len;
1706 char *ldpaths_bufp = ldpaths_buf;
1707 int i = 0;
1708
1709 len = strlcpy(ldpaths_buf, path, sizeof(ldpaths_buf));
1710
1711 while (i < LDPATH_MAX && (ldpaths[i] = strsep(&ldpaths_bufp, delim))) {
1712 if (*ldpaths[i] != '\0')
1713 ++i;
1714 }
1715
1716 /* Forget the last path if we had to truncate; this occurs if the 2nd to
1717 * last char isn't '\0' (i.e. not originally a delim). */
1718 if (i > 0 && len >= sizeof(ldpaths_buf) &&
1719 ldpaths_buf[sizeof(ldpaths_buf) - 2] != '\0') {
1720 ldpaths[i - 1] = NULL;
1721 } else {
1722 ldpaths[i] = NULL;
1723 }
1724 }
1725
main(int argc,char ** argv)1726 int main(int argc, char **argv)
1727 {
1728 return 0;
1729 }
1730
1731 #define ANDROID_TLS_SLOTS BIONIC_TLS_SLOTS
1732
1733 static void * __tls_area[ANDROID_TLS_SLOTS];
1734
__linker_init(unsigned ** elfdata)1735 unsigned __linker_init(unsigned **elfdata)
1736 {
1737 static soinfo linker_soinfo;
1738
1739 int argc = (int) *elfdata;
1740 char **argv = (char**) (elfdata + 1);
1741 unsigned *vecs = (unsigned*) (argv + argc + 1);
1742 soinfo *si;
1743 struct link_map * map;
1744 char *ldpath_env = NULL;
1745
1746 /* Setup a temporary TLS area that is used to get a working
1747 * errno for system calls.
1748 */
1749 __set_tls(__tls_area);
1750
1751 pid = getpid();
1752
1753 #if TIMING
1754 struct timeval t0, t1;
1755 gettimeofday(&t0, 0);
1756 #endif
1757
1758 /* NOTE: we store the elfdata pointer on a special location
1759 * of the temporary TLS area in order to pass it to
1760 * the C Library's runtime initializer.
1761 *
1762 * The initializer must clear the slot and reset the TLS
1763 * to point to a different location to ensure that no other
1764 * shared library constructor can access it.
1765 */
1766 __tls_area[TLS_SLOT_BIONIC_PREINIT] = elfdata;
1767
1768 debugger_init();
1769
1770 /* skip past the environment */
1771 while(vecs[0] != 0) {
1772 if(!strncmp((char*) vecs[0], "DEBUG=", 6)) {
1773 debug_verbosity = atoi(((char*) vecs[0]) + 6);
1774 } else if(!strncmp((char*) vecs[0], "LD_LIBRARY_PATH=", 16)) {
1775 ldpath_env = (char*) vecs[0] + 16;
1776 }
1777 vecs++;
1778 }
1779 vecs++;
1780
1781 INFO("[ android linker & debugger ]\n");
1782 DEBUG("%5d elfdata @ 0x%08x\n", pid, (unsigned)elfdata);
1783
1784 si = alloc_info(argv[0]);
1785 if(si == 0) {
1786 exit(-1);
1787 }
1788
1789 /* bootstrap the link map, the main exe always needs to be first */
1790 si->flags |= FLAG_EXE;
1791 map = &(si->linkmap);
1792
1793 map->l_addr = 0;
1794 map->l_name = argv[0];
1795 map->l_prev = NULL;
1796 map->l_next = NULL;
1797
1798 _r_debug.r_map = map;
1799 r_debug_tail = map;
1800
1801 /* gdb expects the linker to be in the debug shared object list,
1802 * and we need to make sure that the reported load address is zero.
1803 * Without this, gdb gets the wrong idea of where rtld_db_dlactivity()
1804 * is. Don't use alloc_info(), because the linker shouldn't
1805 * be on the soinfo list.
1806 */
1807 strcpy((char*) linker_soinfo.name, "/system/bin/linker");
1808 linker_soinfo.flags = 0;
1809 linker_soinfo.base = 0; // This is the important part; must be zero.
1810 insert_soinfo_into_debug_map(&linker_soinfo);
1811
1812 /* extract information passed from the kernel */
1813 while(vecs[0] != 0){
1814 switch(vecs[0]){
1815 case AT_PHDR:
1816 si->phdr = (Elf32_Phdr*) vecs[1];
1817 break;
1818 case AT_PHNUM:
1819 si->phnum = (int) vecs[1];
1820 break;
1821 case AT_ENTRY:
1822 si->entry = vecs[1];
1823 break;
1824 }
1825 vecs += 2;
1826 }
1827
1828 ba_init();
1829
1830 si->base = 0;
1831 si->dynamic = (unsigned *)-1;
1832 si->wrprotect_start = 0xffffffff;
1833 si->wrprotect_end = 0;
1834
1835 /* Use LD_LIBRARY_PATH if we aren't setuid/setgid */
1836 if (ldpath_env && getuid() == geteuid() && getgid() == getegid())
1837 parse_library_path(ldpath_env, ":");
1838
1839 if(link_image(si, 0)) {
1840 char errmsg[] = "CANNOT LINK EXECUTABLE\n";
1841 write(2, __linker_dl_err_buf, strlen(__linker_dl_err_buf));
1842 write(2, errmsg, sizeof(errmsg));
1843 exit(-1);
1844 }
1845
1846 #if TIMING
1847 gettimeofday(&t1,NULL);
1848 PRINT("LINKER TIME: %s: %d microseconds\n", argv[0], (int) (
1849 (((long long)t1.tv_sec * 1000000LL) + (long long)t1.tv_usec) -
1850 (((long long)t0.tv_sec * 1000000LL) + (long long)t0.tv_usec)
1851 ));
1852 #endif
1853 #if STATS
1854 PRINT("RELO STATS: %s: %d abs, %d rel, %d copy, %d symbol\n", argv[0],
1855 linker_stats.reloc[RELOC_ABSOLUTE],
1856 linker_stats.reloc[RELOC_RELATIVE],
1857 linker_stats.reloc[RELOC_COPY],
1858 linker_stats.reloc[RELOC_SYMBOL]);
1859 #endif
1860 #if COUNT_PAGES
1861 {
1862 unsigned n;
1863 unsigned i;
1864 unsigned count = 0;
1865 for(n = 0; n < 4096; n++){
1866 if(bitmask[n]){
1867 unsigned x = bitmask[n];
1868 for(i = 0; i < 8; i++){
1869 if(x & 1) count++;
1870 x >>= 1;
1871 }
1872 }
1873 }
1874 PRINT("PAGES MODIFIED: %s: %d (%dKB)\n", argv[0], count, count * 4);
1875 }
1876 #endif
1877
1878 #if TIMING || STATS || COUNT_PAGES
1879 fflush(stdout);
1880 #endif
1881
1882 TRACE("[ %5d Ready to execute '%s' @ 0x%08x ]\n", pid, si->name,
1883 si->entry);
1884 return si->entry;
1885 }
1886